Support listing HTTPS archive mirrors

Bug #1255120 reported by Bryan Quigley on 2013-11-26
This bug affects 10 people

Affects: Launchpad itself
Importance: Low
Assigned to: Unassigned

Bug Description

Currently we support listing mirrors for http, ftp and rsync [1]. We should support mirrors that want to be listed as supporting https as well.

There are a couple of other issues blocking this; currently we have only one mirror that works via HTTPS. (Some others like "https://mirrors.nl.eu.kernel.org/" don't work because the *.kernel.org cert doesn't apply to that domain.)

[1] https://launchpad.net/ubuntu/+archivemirrors

William Grant (wgrant) on 2013-11-26
Changed in launchpad:
importance: Undecided → Low
status: New → Triaged
tags: added: mirror

Given bugs like CVE-2016-1252 https://www.debian.org/security/2016/dsa-3733, I think it is now quite clear that apt package archives should always use HTTPS. Right now, all of the Ubuntu repo sections are available via HTTPS:

* https://spout.ussg.indiana.edu/linux/ubuntu
* https://mirrors.kernel.org/ubuntu
* https://mirror.cse.unsw.edu.au/pub/ubuntu-releases/

Bryan Quigley (bryanquigley) wrote :

A very incomplete patch... more like notes of changes I was testing midway. Posting in case it's useful to someone else pursuing this. http://pastebin.ubuntu.com/24793948/

kepler-211c (kepler-211c) wrote :

How is this bug set to low priority?

Yes, the packages are signed. However, signing keys can be stolen. Additionally, there are bugs such as CVE-2016-1252 mentioned above.

In today's world, multiple layers of security are mandatory.

This is not a drill, could this please get some attention?

Bodo Brance (bodobr) wrote :

Please mark this bug as security issue.

Vivien GUEANT (vivienfr) wrote :

CVE-2019-3462: Remote Code Execution in apt/apt-get
=> https://justi.cz/security/2019/01/22/apt-rce.html

Is it possible to note on https://launchpad.net/ubuntu/+mirror/bouygues-telecom that the hosted Ubuntu mirror is available over secure HTTP (https in addition to http and rsync)?

Would it be possible to remove ftp, which is an obsolete protocol, and to add the possibility to the mirrors that wish to propose https in addition to http?

Note that Debian will no longer offer FTP from 1 November 2017: https://www.debian.org/News/2017/20170425.en.html. The FTP protocol is inefficient and requires adding awkward kludges to firewalls and load-balancing daemons.

Andy Brody (abrody) wrote :

Is anyone else interested in contributing or reviewing patches here? I'd like to see this implemented.

Bryan, is your patch at http://pastebin.ubuntu.com/24793948/ still a useful starting point or do you think it would be too stale at this point?

Bryan Quigley (bryanquigley) wrote :

It should at least hint at where changes would need to be made. I don't think it's changed that much since then.

Alex N. (a-nox) wrote :

As mentioned above, CVE-2019-3462 puts this topic back into focus. It would be great to see which mirrors support https.
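The bug description notes that https://mirrors.nl.eu.kernel.org/ fails because a *.kernel.org certificate does not cover that name, and the last comment asks how to see which mirrors actually support https. The script below is an added example, not code from this bug, from Bryan's pastebin patch or from Launchpad itself. It shows the one-label wildcard rule (RFC 6125 section 6.4.3) that explains the kernel.org case, and a live probe using Python's ssl module that reports a mirror as HTTPS-capable only when certificate chain and hostname verification both succeed. The certificate name list in the demo is constructed for illustration; the probe function needs network access and is not exercised by the offline part.

```python
"""Added example: decide whether an archive mirror can be listed as HTTPS-capable.

hostname_matches(): RFC 6125 wildcard matching. A wildcard covers exactly one
DNS label, so "*.kernel.org" matches "mirrors.kernel.org" but not
"mirrors.nl.eu.kernel.org".
probe_https(): optional live check (needs network); succeeds only with full
chain validation and hostname verification, as apt's https transport requires.
"""
import socket
import ssl
from urllib.parse import urlparse


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, as browsers and OpenSSL apply them):
      - comparison is case-insensitive;
      - "*" is honoured only as the entire left-most label ("*.example.org");
      - the wildcard stands for exactly one label, never zero and never several;
      - a wildcard directly under a TLD ("*.org") is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a bare "*" left-most label is accepted; "mir*.example.org" is not.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False  # the wildcard must account for exactly one label
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def covered_by(cert_names, hostname):
    """Return the first certificate name (CN or SAN entry) that covers hostname, or None."""
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


def probe_https(mirror_url: str, timeout: float = 5.0) -> dict:
    """Live check (needs network): 'https' is True only when a verified TLS
    connection to the mirror host succeeds; otherwise the failure reason is
    returned (e.g. a hostname mismatch or an untrusted chain)."""
    host = urlparse(mirror_url).hostname
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                return {"host": host, "https": True,
                        "protocol": tls.version(), "subject": subject}
    except ssl.SSLCertVerificationError as e:
        return {"host": host, "https": False, "reason": f"cert verify failed: {e.reason}"}
    except (OSError, ssl.SSLError) as e:
        return {"host": host, "https": False, "reason": str(e)}


if __name__ == "__main__":
    # Constructed name list standing in for a kernel.org wildcard certificate.
    names = ["kernel.org", "*.kernel.org"]
    for h in ["mirrors.kernel.org", "mirrors.nl.eu.kernel.org"]:
        print(h, "->", covered_by(names, h))
    # Uncomment to probe one of the mirrors mentioned in this bug:
    # print(probe_https("https://mirrors.kernel.org/ubuntu"))
```

Running the offline part shows `mirrors.kernel.org -> *.kernel.org` and `mirrors.nl.eu.kernel.org -> None`, which is exactly the mismatch the bug description reports. A mirror listing that wants to advertise https should be gated on `probe_https(...)["https"]` rather than on whether port 443 merely answers, since an unverifiable certificate gives apt no protection.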
